The Azure management group is one more good step towards azure resource governance. It creates a hierarchical structure based on business division, geographic location, or function which gives more control in applying policy and compliance. It is very helpful in multiple subscriptions environment. It is very similar to the organizational unit (OU) in Microsoft Active Directory. We create an OU structure to apply group policy based on the department or based on any other required structure. Azure management group gives us the same experience for the Azure subscription to apply policy and compliance. The applied group policy for the OU gets reflected on Active Directory’s objects such as user and computer account whereas the applied policy for the management group gets reflected on the resources of the subscription under that management group.
Let’s understand the need of the management group by this example. Suppose, we don’t want to allow anyone to provision resources without a tag. In this case, create a management group hierarchy and apply the policy at the root level. All the subscriptions will inherit the policy from the root management group. Another example, we want all the VMs for the Dev&Test environment should be provisioned on the West Europe region only. In this case, apply the policy to the management group which contains all the Dev&Test subscriptions. The policy will be inherited by the subscriptions under the Dev&Test management group only. If anyone creates any resource other than West Europe for Dev&Test then it will fail. One more example, we want the VM size for the Dev&Test environment should be DS3_V2 only then it can be achieved easily by applying the policy to the Dev&Test management group.
Another use case of management groups is to assign role-based access control (RBAC). The subscription will inherit the user access according to the management group. Here, we are going to have a quick look at how to create a management group and assign subscriptions to it. We will create two management group Production Environment and Dev&Test for this demonstration. Root-level management will be created automatically once we create the first management group in the directory.
Creating Management Groups
- Click All Services and search for Management groups, and click on it. In the new window click on Add management group.
2. Select Create new and specify the following parameters and click on Save.
- Management group ID: ProductionEnvironment
- Management group display name: Production Environment
Repeat the above step to create a Dev&Test management group.
3. After that, we need to move the subscription to the desired management group. Here, I am moving the Microsoft Azure Sponsorship subscription to the Production Environment management group. Click on Move as highlighted.
4. Select Production Environment from the drop-down list and click on Save.
Repeat the above step to move other subscriptions to the desired management group.
5. Click on the Production Environment management group and we can see all the subscriptions under it. We can also find all the applied policies for the management group by clicking on Policies if there are any.
For enterprise scaffolding and best practices refer to Microsoft Documentation. Implementation of the Azure management group and policy will help in mitigating security risks and achieving the organization’s mission.